SysTrack LsiAgent Installer Flaw Elevates Local Privileges

A critical vulnerability has been identified in the Microsoft installer for SysTrack LsiAgent, a product by Lakeside Software, enabling users with limited privileges to gain elevated access to the system. The flaw, uncovered by Google Mandiant, is classified as a local privilege escalation vulnerability and has been assigned a high-severity rating of 7.8 under CVE-2023-6080. This issue allows potential attackers to achieve system-level privileges upon exploitation.
The vulnerability originates from a function within the SysTrack LsiAgent Installer known as the repair function. This feature is typically designed to assist users in resolving issues with installed software. However, during its operation, this function inadvertently allows the creation and execution of files with the privileges of the NT AUTHORITY\SYSTEM account—one of the most powerful default accounts in Windows.
Mandiant demonstrated that by using a real-time file monitoring tool called Process Monitor, they could observe file operations executed during the repair task of the SysTrack installer. Analysis revealed that while running under limited user privileges, the installer allowed the creation and execution of files within the user’s temporary folder (%TEMP%), a location writable by low-privileged users.
Further investigation by the researchers indicated that a race condition vulnerability accompanies this exploit, which permits attackers to send simultaneous requests that could potentially overwrite data being modified. Mandiant subsequently created a PowerShell script to exploit this condition, effectively allowing them to execute test files in place of legitimate binaries.
As a consequence, not only does the identified vulnerability facilitate the escalation of privileges, but it also enables attackers to manipulate files within the NT AUTHORITY\SYSTEM context, thereby permitting arbitrary code execution. This dual capability raises significant security concerns, especially as misconfigured actions in MSI packages can lead to diminished visibility and control over system operations.
To mitigate this risk, Mandiant advises developers to adhere to secure coding standards and ensure all privileged file operations are conducted from secure directories. Enhancing permissions settings for these directories or utilizing Windows’ built-in folders, which offer inherent protections against low-privilege users, is recommended.
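A developer or defender can check their own installer for the pattern described above by exporting a Process Monitor trace of the repair action to CSV and flagging operations that ran as NT AUTHORITY\SYSTEM on paths inside a user profile. The script below is an added example, not code from Mandiant or Lakeside Software; the sample rows are constructed, and it assumes the optional "User" column was enabled in Process Monitor before the export.

```python
import csv
import io
import re

# Constructed sample of a Process Monitor CSV export (not data from the report).
# Assumption: the optional "User" column was enabled before exporting.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","User"
"10:01:02.1","msiexec.exe","4120","CreateFile","C:\Users\alice\AppData\Local\Temp\MSI1A2B.tmp","SUCCESS","NT AUTHORITY\SYSTEM"
"10:01:02.4","msiexec.exe","4120","Process Create","C:\Users\alice\AppData\Local\Temp\MSI1A2B.tmp","SUCCESS","NT AUTHORITY\SYSTEM"
"10:01:02.6","msiexec.exe","4120","CreateFile","C:\Windows\Installer\MSI9F.tmp","SUCCESS","NT AUTHORITY\SYSTEM"
"10:01:03.0","msiexec.exe","5200","CreateFile","C:\Users\alice\AppData\Local\Temp\log.txt","SUCCESS","LAB\alice"
"10:01:03.2","msiexec.exe","4120","CreateFile","C:\Users\alice\AppData\Local\Temp\cfg.dat","NAME NOT FOUND","NT AUTHORITY\SYSTEM"
'''

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
# Heuristic: anything under a user profile (which contains %TEMP%) is writable
# by that low-privileged user.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.IGNORECASE)
OP_KINDS = {"CreateFile": "file", "WriteFile": "file",
            "Process Create": "execute", "Load Image": "execute"}


def find_risky_operations(csv_text):
    """Map each user-writable path to the kinds of successful SYSTEM operations on it."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = OP_KINDS.get(row["Operation"])
        if kind is None or row["Result"] != "SUCCESS":
            continue  # not a file/execute operation, or it did not succeed
        if row["User"].upper() != SYSTEM_USER.upper():
            continue  # only operations performed with SYSTEM privileges matter here
        if USER_WRITABLE.match(row["Path"]):
            findings.setdefault(row["Path"], set()).add(kind)
    return findings


def executed_as_system(csv_text):
    """Paths SYSTEM executed from a user-writable directory: the highest-risk findings."""
    return sorted(p for p, kinds in find_risky_operations(csv_text).items()
                  if "execute" in kinds)


if __name__ == "__main__":
    for path in executed_as_system(SAMPLE_CSV):
        print("SYSTEM executed file from user-writable path:", path)
```

Any path this reports is a candidate for moving the privileged file operation into a directory that low-privileged users cannot write to, as the recommendation above describes.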
Lakeside Software has addressed the flaw with a patch issued in August 2024, following the alert from Google. This incident not only highlights the vulnerabilities in third-party software installation processes but also sheds light on the ongoing security challenges inherent within software development, particularly those involving privilege escalation tactics as classified within the MITRE ATT&CK framework.